The standard definition of risk appetite is “the amount of risk you are willing to take in the pursuit of objectives”.
That is not a clear explanation in plain business language, one that makes obvious business sense to everybody from the board room to the people in the trenches.
The primary problem is the idea that there is an “amount of risk”.
Ask a safety practitioner what amount of risk should be taken that somebody might be killed or suffer a serious injury.
How do you calculate an “amount of risk” that spans not only the entire enterprise, but different sources of risk such as compliance, safety, customer relations, reputation, competitor, economic, cash flow, third and fourth-party, cyber, human capital, and so on?
How does a risk appetite statement enable people across the extended organization, at various levels, to make the informed and intelligent decisions necessary to achieve objectives?
I think there is a better way that should be at least considered.
The twist is to ask:
How much am I willing to spend to ensure that the possibility of such and such happening and affecting my objectives (a range of effects or consequences and their likelihoods) is within my desired range?
For example, how much am I willing to spend to ensure that the possibility of a significant compliance failure is low enough to be acceptable – a risk I am willing to take?
How much am I willing to spend so that there is less than a 5% likelihood, say, of a cyber breach that would cause major disruption that I value at $10 million?
How much am I willing to spend on customer relations or safety measures to ensure… and so on.
This is what executives have been doing for ages. It is how they run the business.
But first they need to know:
- What might happen (a range of possible consequences)?
- What is the likelihood of each level of consequence?
- How would this affect the achievement of objectives and the success of the organization?
- Should I take that risk?
- What are my options and how would further investment change the possibilities (level and/or likelihood of the range of consequences)?
- What would that cost and is it worth it?
- What are the options for that cash or other resource (opportunity cost)?
- How would a reduction (!) in spending change the possibilities?
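The questions above can be worked as a small decision model. The following is an added example, not code from the original post: it takes one source of risk (the cyber breach from the earlier $10 million illustration), describes it as a range of consequences with likelihoods, and compares spending options, including a reduction in spending, by their effect on that range, their cost, and their return. All figures, option names and the 5% appetite threshold are constructed for the illustration; money is in millions of dollars per year.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# All money figures are in millions of dollars per year (constructed units).


@dataclass(frozen=True)
class Outcome:
    label: str
    loss: float        # consequence if this outcome occurs
    likelihood: float  # annual probability of this outcome


@dataclass(frozen=True)
class Option:
    name: str
    annual_spend: float             # what this option costs to run each year
    outcomes: Tuple[Outcome, ...]   # residual range of consequences under this option

    def __post_init__(self) -> None:
        # A "range of consequences" must cover every case, so the likelihoods sum to 1.
        total = sum(o.likelihood for o in self.outcomes)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: likelihoods sum to {total}, not 1")


def expected_loss(outcomes: Tuple[Outcome, ...]) -> float:
    """Probability-weighted consequence: what this source of risk costs on average per year."""
    return sum(o.loss * o.likelihood for o in outcomes)


def likelihood_at_least(outcomes: Tuple[Outcome, ...], threshold: float) -> float:
    """Probability that the consequence is at least `threshold` (e.g. a $10M disruption)."""
    return sum(o.likelihood for o in outcomes if o.loss >= threshold)


def evaluate(baseline: Option, option: Option, threshold: float, max_likelihood: float) -> Dict:
    """Answer the list of questions for one option relative to what we do today."""
    saving = expected_loss(baseline.outcomes) - expected_loss(option.outcomes)
    extra_spend = option.annual_spend - baseline.annual_spend   # negative for a spending cut
    net_benefit = saving - extra_spend
    # ROI only makes sense for additional spending; a cut is judged on net benefit alone.
    roi: Optional[float] = net_benefit / extra_spend if extra_spend > 0 else None
    p_major = likelihood_at_least(option.outcomes, threshold)
    return {
        "option": option.name,
        "extra_spend": round(extra_spend, 6),
        "expected_loss": round(expected_loss(option.outcomes), 6),
        "net_benefit": round(net_benefit, 6),
        "roi": None if roi is None else round(roi, 4),
        "p_major": round(p_major, 6),
        "within_appetite": p_major < max_likelihood,   # "less than a 5% likelihood" test
    }


def compare(baseline: Option, options: Tuple[Option, ...], threshold: float, max_likelihood: float) -> List[Dict]:
    """Rank the options by net benefit so the cash question and the appetite question sit side by side."""
    rows = [evaluate(baseline, o, threshold, max_likelihood) for o in options]
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario (hypothetical figures, not from the post).
BASELINE = Option("current controls", 1.0, (
    Outcome("no material incident", 0.0, 0.62),
    Outcome("contained incident", 0.5, 0.30),
    Outcome("major disruption", 10.0, 0.08),
))
OPTIONS = (
    Option("add 24x7 monitoring", 1.3, (
        Outcome("no material incident", 0.0, 0.71),
        Outcome("contained incident", 0.5, 0.25),
        Outcome("major disruption", 10.0, 0.04),
    )),
    Option("segmentation and tested backups", 1.5, (
        Outcome("no material incident", 0.0, 0.68),
        Outcome("contained incident", 0.5, 0.30),
        Outcome("major disruption", 10.0, 0.02),
    )),
    Option("cut the monitoring budget", 0.8, (
        Outcome("no material incident", 0.0, 0.53),
        Outcome("contained incident", 0.5, 0.35),
        Outcome("major disruption", 10.0, 0.12),
    )),
)
MAJOR_LOSS = 10.0        # the consequence the board cares about
MAX_LIKELIHOOD = 0.05    # "less than a 5% likelihood" of that consequence


if __name__ == "__main__":
    print(f"today: expected loss {expected_loss(BASELINE.outcomes):.3f}, "
          f"P(>= {MAJOR_LOSS}M) = {likelihood_at_least(BASELINE.outcomes, MAJOR_LOSS):.2f}")
    for row in compare(BASELINE, OPTIONS, MAJOR_LOSS, MAX_LIKELIHOOD):
        print(row)
```

In the constructed figures the cheaper monitoring option has the better return while the segmentation option buys more headroom under the 5% threshold; the model makes that trade-off explicit instead of hiding it behind a single "amount of risk". The spending cut shows up as a negative net benefit and a breach of the threshold, which is the last question on the list answered in the same terms as the others.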
We don’t think enough about the last point.
We also don’t think enough about whether we are getting a solid, acceptable ROI when we invest in addressing a source of risk.
What do you think? Is this better than trying to explain to top management and the board what “risk appetite” is and whether the organization is exceeding it (usually after the fact)?